Changeset 239612 in webkit

Timestamp:

Jan 4, 2019 9:04:09 AM (5 years ago)

Author:

yusukesuzuki@slowstart.org

Message:

[JSC] Optimize Object.prototype.toString
​https://bugs.webkit.org/show_bug.cgi?id=193031

Reviewed by Saam Barati.

JSTests:

• stress/object-tostring-changed-proto.js: Added.

(shouldBe):
(test):

• stress/object-tostring-changed.js: Added.

(shouldBe):
(test):

• stress/object-tostring-misc.js: Added.

(shouldBe):
(test):
(i.switch):

• stress/object-tostring-other.js: Added.

(shouldBe):
(test):

• stress/object-tostring-untyped.js: Added.

(shouldBe):
(test):
(i.switch):

Source/JavaScriptCore:

Object.prototype.toString is frequently used for type checking.
It is called many times in wtb-lebab.js. This patch optimizes
Object.prototype.toString by the following two optimizations.

1. We should emit code looking up cached to string in DFG and FTL.

toString's result is cached in the Structure. We emit a fast path code
in DFG and FTL to lookup this cache.

2. We should not create objects for primitive values in major cases.

When Object.prototype.toString(primitive) is called, this primitive is converted
to an object by calling ToObject. But if the result is appropriately cached in
the Structure, we should get it in the fast path without creating this object.
When converting primitives to objects, Structures used in these newly created objects
are known (Structure for StringObject etc.). So we can first query the cached string
before actually converting primitives to objects.

This patch improves wtb-lebab.js by roughly 2%.

before: lebab: 8.90 runs/s
after : lebab: 9.09 runs/s

• JavaScriptCore.xcodeproj/project.pbxproj:
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleIntrinsicCall):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupObjectToString):

• dfg/DFGNodeType.h:
• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileObjectToString):

• dfg/DFGSpeculativeJIT.h:
• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLAbstractHeapRepository.h:
• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileObjectToString):

• runtime/Intrinsic.cpp:

(JSC::intrinsicName):

• runtime/Intrinsic.h:
• runtime/ObjectPrototype.cpp:

(JSC::ObjectPrototype::finishCreation):
(JSC::objectProtoFuncToString):

• runtime/ObjectPrototype.h:
• runtime/ObjectPrototypeInlines.h: Added.

(JSC::structureForPrimitiveValue):
(JSC::objectToString):

• runtime/StructureRareData.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/object-tostring-changed-proto.js (added)
• JSTests/stress/object-tostring-changed.js (added)
• JSTests/stress/object-tostring-misc.js (added)
• JSTests/stress/object-tostring-other.js (added)
• JSTests/stress/object-tostring-untyped.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/Intrinsic.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/Intrinsic.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ObjectPrototype.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/ObjectPrototype.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ObjectPrototypeInlines.h (added)
• Source/JavaScriptCore/runtime/StructureRareData.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
+
+        [JSC] Optimize Object.prototype.toString
+        https://bugs.webkit.org/show_bug.cgi?id=193031
+
+        Reviewed by Saam Barati.
+
+        * stress/object-tostring-changed-proto.js: Added.
+        (shouldBe):
+        (test):
+        * stress/object-tostring-changed.js: Added.
+        (shouldBe):
+        (test):
+        * stress/object-tostring-misc.js: Added.
+        (shouldBe):
+        (test):
+        (i.switch):
+        * stress/object-tostring-other.js: Added.
+        (shouldBe):
+        (test):
+        * stress/object-tostring-untyped.js: Added.
+        (shouldBe):
+        (test):
+        (i.switch):
+
 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
+
+        [JSC] Optimize Object.prototype.toString
+        https://bugs.webkit.org/show_bug.cgi?id=193031
+
+        Reviewed by Saam Barati.
+
+        Object.prototype.toString is frequently used for type checking.
+        It is called many times in wtb-lebab.js. This patch optimizes
+        Object.prototype.toString by the following two optimizations.
+
+        1. We should emit code looking up cached to string in DFG and FTL.
+
+        toString's result is cached in the Structure. We emit a fast path code
+        in DFG and FTL to lookup this cache.
+
+        2. We should not create objects for primitive values in major cases.
+
+        When Object.prototype.toString(primitive) is called, this primitive is converted
+        to an object by calling ToObject. But if the result is appropriately cached in
+        the Structure, we should get it in the fast path without creating this object.
+        When converting primitives to objects, Structures used in these newly created objects
+        are known (Structure for StringObject etc.). So we can first query the cached string
+        before actually converting primitives to objects.
+
+        This patch improves wtb-lebab.js by roughly 2%.
+
+            before:    lebab:  8.90 runs/s
+            after :    lebab:  9.09 runs/s
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::fixupObjectToString):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileObjectToString):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLAbstractHeapRepository.h:
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileObjectToString):
+        * runtime/Intrinsic.cpp:
+        (JSC::intrinsicName):
+        * runtime/Intrinsic.h:
+        * runtime/ObjectPrototype.cpp:
+        (JSC::ObjectPrototype::finishCreation):
+        (JSC::objectProtoFuncToString):
+        * runtime/ObjectPrototype.h:
+        * runtime/ObjectPrototypeInlines.h: Added.
+        (JSC::structureForPrimitiveValue):
+        (JSC::objectToString):
+        * runtime/StructureRareData.h:
+
 2019-01-03  Michael Saboff  <msaboff@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1625 +1625 @@
                 BC18C4450E16F5CD00B34460 /* ObjectConstructor.h in Headers */ = {isa = PBXBuildFile; fileRef = BC2680C70E16D4E900A06E92 /* ObjectConstructor.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 BC18C4460E16F5CD00B34460 /* ObjectPrototype.h in Headers */ = {isa = PBXBuildFile; fileRef = BC2680C90E16D4E900A06E92 /* ObjectPrototype.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                5E158AC350BC4EC7877DC0F4 /* ObjectPrototypeInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 6D0CC9E1CBC149AB8F403434 /* ObjectPrototypeInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 BC18C4480E16F5CD00B34460 /* Operations.h in Headers */ = {isa = PBXBuildFile; fileRef = F692A8780255597D01FF60F7 /* Operations.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 BC18C44B0E16F5CD00B34460 /* Parser.h in Headers */ = {isa = PBXBuildFile; fileRef = 93F0B3AA09BB4DC00068FCE3 /* Parser.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -4487 +4488 @@
                 BC2680C80E16D4E900A06E92 /* ObjectPrototype.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ObjectPrototype.cpp; sourceTree = "<group>"; };
                 BC2680C90E16D4E900A06E92 /* ObjectPrototype.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ObjectPrototype.h; sourceTree = "<group>"; };
+                6D0CC9E1CBC149AB8F403434 /* ObjectPrototypeInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ObjectPrototypeInlines.h; sourceTree = "<group>"; };
                 BC2680E60E16D52300A06E92 /* NumberConstructor.lut.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NumberConstructor.lut.h; sourceTree = "<group>"; };
                 BC3046060E1F497F003232CF /* Error.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Error.h; sourceTree = "<group>"; };
@@ -7001 +7003 @@
                                 BC2680C80E16D4E900A06E92 /* ObjectPrototype.cpp */,
                                 BC2680C90E16D4E900A06E92 /* ObjectPrototype.h */,
+                                6D0CC9E1CBC149AB8F403434 /* ObjectPrototypeInlines.h */,
                                 F692A8770255597D01FF60F7 /* Operations.cpp */,
                                 F692A8780255597D01FF60F7 /* Operations.h */,
@@ -9448 +9451 @@
                                 0FD3E40C1B618B6600C80E1E /* ObjectPropertyConditionSet.h in Headers */,
                                 BC18C4460E16F5CD00B34460 /* ObjectPrototype.h in Headers */,
+                                5E158AC350BC4EC7877DC0F4 /* ObjectPrototypeInlines.h in Headers */,
                                 E124A8F70E555775003091F1 /* OpaqueJSString.h in Headers */,
                                 14F79F70216EAFD200046D39 /* Opcode.h in Headers */,

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -2618 +2618 @@
         clobberWorld();
         setTypeForNode(node, SpecArray);
+        break;
+    }
+
+    case ObjectToString: {
+        AbstractValue& source = forNode(node->child1());
+        bool clobbering = node->child1().useKind() != OtherUse;
+        if (JSValue sourceValue = source.m_value) {
+            if (sourceValue.isUndefinedOrNull()) {
+                if (clobbering)
+                    didFoldClobberWorld();
+                setConstant(node, *m_graph.freeze(sourceValue.isUndefined() ? m_vm.smallStrings.undefinedObjectString() : m_vm.smallStrings.nullObjectString()));
+                break;
+            }
+        }
+
+        if (clobbering)
+            clobberWorld();
+        setTypeForNode(node, SpecString);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -2699 +2699 @@
         insertChecks();
         set(result, addToGraph(ObjectKeys, get(virtualRegisterForArgument(1, registerOffset))));
+        return true;
+    }
+
+    case ObjectPrototypeToStringIntrinsic: {
+        insertChecks();
+        Node* value = get(virtualRegisterForArgument(0, registerOffset));
+        set(result, addToGraph(ObjectToString, value));
         return true;
     }

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -682 +682 @@
         return;
 
+    case ObjectToString:
+        switch (node->child1().useKind()) {
+        case OtherUse:
+            def(PureValue(node));
+            return;
+        case UntypedUse:
+            read(World);
+            write(Heap);
+            return;
+        default:
+            RELEASE_ASSERT_NOT_REACHED();
+            return;
+        }
+
     case AtomicsAdd:
     case AtomicsAnd:

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -373 +373 @@
     case StringSlice:
     case StringValueOf:
+    case ObjectToString:
     case CreateRest:
     case ToLowerCase:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -2145 +2145 @@
         case StringValueOf: {
             fixupStringValueOf(node);
+            break;
+        }
+
+        case ObjectToString: {
+            fixupObjectToString(node);
             break;
         }
@@ -2932 +2937 @@
     }
 
+    void fixupObjectToString(Node* node)
+    {
+        if (node->child1()->shouldSpeculateOther()) {
+            fixEdge<OtherUse>(node->child1());
+            node->clearFlags(NodeMustGenerate);
+            return;
+        }
+    }
+
     bool attemptToMakeFastStringAdd(Node* node)
     {

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -267 +267 @@
     macro(ObjectCreate, NodeMustGenerate | NodeResultJS) \
     macro(ObjectKeys, NodeMustGenerate | NodeResultJS) \
+    macro(ObjectToString, NodeMustGenerate | NodeResultJS) \
     \
     /* Atomics object functions. */\

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -64 +64 @@
 #include "NumberConstructor.h"
 #include "ObjectConstructor.h"
+#include "ObjectPrototypeInlines.h"
 #include "Operations.h"
 #include "ParseInt.h"
@@ -72 +73 @@
 #include "ScopedArguments.h"
 #include "StringConstructor.h"
+#include "StructureRareDataInlines.h"
 #include "SuperSampler.h"
 #include "Symbol.h"
@@ -2153 +2155 @@
     throwVMTypeError(exec, scope);
     return nullptr;
+}
+
+JSString* JIT_OPERATION operationObjectToString(ExecState* exec, EncodedJSValue source)
+{
+    VM& vm = exec->vm();
+    NativeCallFrameTracer tracer(&vm, exec);
+    return objectToString(exec, JSValue::decode(source));
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -206 +206 @@
 JSString* JIT_OPERATION operationStringValueOf(ExecState*, EncodedJSValue);
 JSString* JIT_OPERATION operationToLowerCase(ExecState*, JSString*, uint32_t);
+JSString* JIT_OPERATION operationObjectToString(ExecState*, EncodedJSValue);
 
 char* JIT_OPERATION operationInt32ToString(ExecState*, int32_t, int32_t);

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -885 +885 @@
         case StringSlice:
         case ToLowerCase:
+        case ObjectToString:
             setPrediction(SpecString);
             break;

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -453 +453 @@
     case StringSlice:
     case ToLowerCase:
+    case ObjectToString:
     case GetMapBucket:
     case GetMapBucketHead:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -12454 +12454 @@
 }
 
+void SpeculativeJIT::compileObjectToString(Node* node)
+{
+    switch (node->child1().useKind()) {
+    case OtherUse: {
+        JSValueOperand source(this, node->child1(), ManualOperandSpeculation);
+        GPRTemporary result(this);
+
+        JSValueRegs sourceRegs = source.jsValueRegs();
+        GPRReg resultGPR = result.gpr();
+
+        speculateOther(node->child1(), sourceRegs);
+
+        auto isUndefined = m_jit.branchIfUndefined(sourceRegs);
+        m_jit.move(TrustedImmPtr::weakPointer(m_jit.graph(), m_jit.vm()->smallStrings.nullObjectString()), resultGPR);
+        auto done = m_jit.jump();
+        isUndefined.link(&m_jit);
+        m_jit.move(TrustedImmPtr::weakPointer(m_jit.graph(), m_jit.vm()->smallStrings.undefinedObjectString()), resultGPR);
+        done.link(&m_jit);
+
+        cellResult(resultGPR, node);
+        return;
+    }
+    case UntypedUse: {
+        JSValueOperand source(this, node->child1());
+
+        JSValueRegs sourceRegs = source.jsValueRegs();
+
+        GPRTemporary structure(this);
+        GPRTemporary scratch(this);
+
+        GPRReg structureGPR = structure.gpr();
+        GPRReg scratchGPR = scratch.gpr();
+
+        CCallHelpers::JumpList slowCases;
+        slowCases.append(m_jit.branchIfNotCell(sourceRegs));
+        slowCases.append(m_jit.branchIfNotObject(sourceRegs.payloadGPR()));
+
+        m_jit.emitLoadStructure(*m_jit.vm(), sourceRegs.payloadGPR(), structureGPR, scratchGPR);
+        m_jit.loadPtr(CCallHelpers::Address(structureGPR, Structure::previousOrRareDataOffset()), scratchGPR);
+
+        slowCases.append(m_jit.branchTestPtr(CCallHelpers::Zero, scratchGPR));
+        slowCases.append(m_jit.branch32(CCallHelpers::Equal, CCallHelpers::Address(scratchGPR, JSCell::structureIDOffset()), TrustedImm32(bitwise_cast<int32_t>(m_jit.vm()->structureStructure->structureID()))));
+
+        m_jit.loadPtr(CCallHelpers::Address(scratchGPR, StructureRareData::offsetOfObjectToStringValue()), scratchGPR);
+        slowCases.append(m_jit.branchTestPtr(CCallHelpers::Zero, scratchGPR));
+
+        addSlowPathGenerator(slowPathCall(slowCases, this, operationObjectToString, scratchGPR, sourceRegs));
+
+        cellResult(scratchGPR, node);
+        return;
+    }
+    default:
+        DFG_CRASH(m_graph, node, "Bad use kind");
+        return;
+    }
+}
+
 void SpeculativeJIT::compileObjectCreate(Node* node)
 {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1481 +1481 @@
     void compileToThis(Node*);
     void compileObjectKeys(Node*);
+    void compileObjectToString(Node*);
     void compileObjectCreate(Node*);
     void compileCreateThis(Node*);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3104 +3104 @@
     case StringValueOf: {
         compileToStringOrCallStringConstructorOrStringValueOf(node);
+        break;
+    }
+
+    case ObjectToString: {
+        compileObjectToString(node);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3346 +3346 @@
     case StringValueOf: {
         compileToStringOrCallStringConstructorOrStringValueOf(node);
+        break;
+    }
+
+    case ObjectToString: {
+        compileObjectToString(node);
         break;
     }

trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h

@@ -121 +121 @@
     macro(Structure_structureID, Structure::structureIDOffset()) \
     macro(StructureRareData_cachedOwnKeys, StructureRareData::offsetOfCachedOwnKeys()) \
+    macro(StructureRareData_objectToStringValue, StructureRareData::offsetOfObjectToStringValue()) \
     macro(HashMapImpl_capacity, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfCapacity()) \
     macro(HashMapImpl_buffer,  HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfBuffer()) \

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -334 +334 @@
     case StringSlice:
     case ToLowerCase:
+    case ObjectToString:
     case NumberToStringWithRadix:
     case NumberToStringWithValidRadixConstant:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -938 +938 @@
             compileStringFromCharCode();
             break;
+        case ObjectToString:
+            compileObjectToString();
+            break;
         case GetByOffset:
         case GetGetterSetterByOffset:
@@ -6418 +6421 @@
             DFG_CRASH(m_graph, m_node, "Bad use kind");
             break;
+        }
+    }
+
+    void compileObjectToString()
+    {
+        switch (m_node->child1().useKind()) {
+        case OtherUse: {
+            speculate(m_node->child1());
+            LValue source = lowJSValue(m_node->child1(), ManualOperandSpeculation);
+            LValue result = m_out.select(m_out.equal(source, m_out.constInt64(ValueUndefined)),
+                weakPointer(vm().smallStrings.undefinedObjectString()), weakPointer(vm().smallStrings.nullObjectString()));
+            setJSValue(result);
+            return;
+        }
+        case UntypedUse: {
+            LBasicBlock cellCase = m_out.newBlock();
+            LBasicBlock objectCase = m_out.newBlock();
+            LBasicBlock notNullCase = m_out.newBlock();
+            LBasicBlock rareDataCase = m_out.newBlock();
+            LBasicBlock slowCase = m_out.newBlock();
+            LBasicBlock continuation = m_out.newBlock();
+
+            LValue source = lowJSValue(m_node->child1());
+            m_out.branch(isCell(source, provenType(m_node->child1())), unsure(cellCase), unsure(slowCase));
+
+            LBasicBlock lastNext = m_out.appendTo(cellCase, objectCase);
+            m_out.branch(isObject(source, provenType(m_node->child1()) & SpecCell), unsure(objectCase), unsure(slowCase));
+
+            m_out.appendTo(objectCase, notNullCase);
+            LValue structure = loadStructure(source);
+            LValue previousOrRareData = m_out.loadPtr(structure, m_heaps.Structure_previousOrRareData);
+            m_out.branch(m_out.notNull(previousOrRareData), unsure(notNullCase), unsure(slowCase));
+
+            m_out.appendTo(notNullCase, rareDataCase);
+            m_out.branch(
+                m_out.notEqual(m_out.load32(previousOrRareData, m_heaps.JSCell_structureID), m_out.constInt32(m_graph.m_vm.structureStructure->structureID())),
+                unsure(rareDataCase), unsure(slowCase));
+
+            m_out.appendTo(rareDataCase, slowCase);
+            LValue objectToStringValue = m_out.loadPtr(previousOrRareData, m_heaps.StructureRareData_objectToStringValue);
+            ValueFromBlock fastResult = m_out.anchor(objectToStringValue);
+            m_out.branch(m_out.isNull(objectToStringValue), unsure(slowCase), unsure(continuation));
+
+            m_out.appendTo(slowCase, continuation);
+            LValue slowResultValue = vmCall(pointerType(), m_out.operation(operationObjectToString), m_callFrame, source);
+            ValueFromBlock slowResult = m_out.anchor(slowResultValue);
+            m_out.jump(continuation);
+
+            m_out.appendTo(continuation, lastNext);
+            setJSValue(m_out.phi(pointerType(), fastResult, slowResult));
+            return;
+        }
+        default:
+            DFG_CRASH(m_graph, m_node, "Bad use kind");
+            return;
         }
     }

trunk/Source/JavaScriptCore/runtime/Intrinsic.cpp

@@ -122 +122 @@
     case ObjectKeysIntrinsic:
         return "ObjectKeysIntrinsic";
+    case ObjectPrototypeToStringIntrinsic:
+        return "ObjectPrototypeToStringIntrinsic";
     case ReflectGetPrototypeOfIntrinsic:
         return "ReflectGetPrototypeOfIntrinsic";

trunk/Source/JavaScriptCore/runtime/Intrinsic.h

@@ -74 +74 @@
     ObjectIsIntrinsic,
     ObjectKeysIntrinsic,
+    ObjectPrototypeToStringIntrinsic,
     ReflectGetPrototypeOfIntrinsic,
     StringPrototypeValueOfIntrinsic,

trunk/Source/JavaScriptCore/runtime/ObjectPrototype.cpp

@@ -28 +28 @@
 #include "JSString.h"
 #include "JSCInlines.h"
+#include "ObjectPrototypeInlines.h"
 #include "PropertySlot.h"
 #include "StructureInlines.h"
@@ -43 +44 @@
 static EncodedJSValue JSC_HOST_CALL objectProtoFuncPropertyIsEnumerable(ExecState*);
 static EncodedJSValue JSC_HOST_CALL objectProtoFuncToLocaleString(ExecState*);
+static EncodedJSValue JSC_HOST_CALL objectProtoFuncToString(ExecState*);
 
 STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(ObjectPrototype);
@@ -59 +61 @@
     didBecomePrototype();
     
-    JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->toString, objectProtoFuncToString, static_cast<unsigned>(PropertyAttribute::DontEnum), 0);
+    JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->toString, objectProtoFuncToString, static_cast<unsigned>(PropertyAttribute::DontEnum), 0, ObjectPrototypeToStringIntrinsic);
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->toLocaleString, objectProtoFuncToLocaleString, static_cast<unsigned>(PropertyAttribute::DontEnum), 0);
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->valueOf, objectProtoFuncValueOf, static_cast<unsigned>(PropertyAttribute::DontEnum), 0);
@@ -312 +314 @@
 EncodedJSValue JSC_HOST_CALL objectProtoFuncToString(ExecState* exec)
 {
-    VM& vm = exec->vm();
-    auto scope = DECLARE_THROW_SCOPE(vm);
-
     JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
-    if (thisValue.isUndefinedOrNull())
-        return JSValue::encode(thisValue.isUndefined() ? vm.smallStrings.undefinedObjectString() : vm.smallStrings.nullObjectString());
-    JSObject* thisObject = thisValue.toObject(exec);
-    EXCEPTION_ASSERT(!!scope.exception() == !thisObject);
-    if (!thisObject)
-        return JSValue::encode(jsUndefined());
-
-    auto result = thisObject->structure(vm)->objectToStringValue();
-    if (result)
-        return JSValue::encode(result);
-
-    PropertyName toStringTagSymbol = vm.propertyNames->toStringTagSymbol;
-    RELEASE_AND_RETURN(scope, JSValue::encode(thisObject->getPropertySlot(exec, toStringTagSymbol, [&] (bool found, PropertySlot& toStringTagSlot) -> JSValue {
-        if (found) {
-            JSValue stringTag = toStringTagSlot.getValue(exec, toStringTagSymbol);
-            RETURN_IF_EXCEPTION(scope, { });
-            if (stringTag.isString()) {
-                JSRopeString::RopeBuilder<RecordOverflow> ropeBuilder(vm);
-                ropeBuilder.append(vm.smallStrings.objectStringStart());
-                ropeBuilder.append(asString(stringTag));
-                ropeBuilder.append(vm.smallStrings.singleCharacterString(']'));
-                if (ropeBuilder.hasOverflowed())
-                    return throwOutOfMemoryError(exec, scope);
-
-                JSString* result = ropeBuilder.release();
-                thisObject->structure(vm)->setObjectToStringValue(exec, vm, result, toStringTagSlot);
-                return result;
-            }
-        }
-
-        String tag = thisObject->methodTable(vm)->toStringName(thisObject, exec);
-        RETURN_IF_EXCEPTION(scope, { });
-        String newString = tryMakeString("[object ", WTFMove(tag), "]");
-        if (!newString)
-            return throwOutOfMemoryError(exec, scope);
-
-        auto result = jsNontrivialString(&vm, newString);
-        thisObject->structure(vm)->setObjectToStringValue(exec, vm, result, toStringTagSlot);
-        return result;
-    })));
+    return JSValue::encode(objectToString(exec, thisValue));
 }
 

trunk/Source/JavaScriptCore/runtime/ObjectPrototype.h

@@ -46 +46 @@
 };
 
-JS_EXPORT_PRIVATE EncodedJSValue JSC_HOST_CALL objectProtoFuncToString(ExecState*);
-
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/StructureRareData.h

@@ -82 +82 @@
     bool hasSharedPolyProtoWatchpoint() const { return static_cast<bool>(m_polyProtoWatchpoint); }
 
+    static ptrdiff_t offsetOfObjectToStringValue()
+    {
+        return OBJECT_OFFSETOF(StructureRareData, m_objectToStringValue);
+    }
+
     static JSImmutableButterfly* cachedOwnKeysSentinel() { return bitwise_cast<JSImmutableButterfly*>(static_cast<uintptr_t>(1)); }